RiskTemplates · The Daily Brief Monday, May 25, 2026
Template Updated May 2026

GenAI Employee AUP Kit

Generative AI Acceptable Use Policy for governing employee use of ChatGPT, Claude, Copilot, and other AI tools.

Price

$79

One-time. No subscription. Use forever.

Buy now →
Secure checkout · Emailed access · Fully editable · 30-day money-back

Delivered immediately after checkout — your template and guide links are emailed to you with your receipt.

Used by compliance teams at banks, fintechs, and asset managers

◆ Quick buying summary

What you get and when you can use it

Good fit if
You're a compliance / IT / AI governance lead and your employees are already using ChatGPT or Copilot — you need a structured policy framework, not a ban
Format
Editable workbook plus PDF/supporting guide materials where included. Instant download after checkout.
Time to value
Start reviewing, editing, and assigning owners the same day; customize to your organization before sharing outputs externally.
After purchase
After checkout, your templates and guides are available immediately and the download link is sent to your email with your Stripe receipt. No account required.

◆ What's included

  • 13-tab Excel workbook (60 formulas, 3 data validations, 9 conditional formatting groups)
  • Data Classification × Tool Tier Matrix — Public / Internal / Confidential / Restricted mapped to Consumer / Enterprise / Prohibited
  • Approved Tool List — 10 starter entries with vendor DD status (DPA, SOC 2, BAA, training opt-out, data residency)
  • 15 Pre-Approved Use Cases — the productivity payoff (employees self-serve common patterns)
  • Employee Use Case Intake Form — ~5-minute structured form for new tools / new use cases / new data classes
  • 12-step Approval Workflow + RACI (Employee → Compliance/IT triage → AI Governance Lead → Committee)

Use rights: customize for internal business use and use outputs with your auditors, customers, bank partners, and regulators. Do not resell or redistribute the template files.

◆ Preview

See what the template covers.

Employee Use Case Intake Form — low-touch ~5-minute structured form with 18 data-validation dropdowns and a cascading auto-routing formula that produces Approved / Conditional / Route to Vendor DD / Escalate / Declined based on Pre-Approved use case match, Approved tool status, data class fit, and Prohibited use detection

Data Classification × Tool Tier Matrix — four data classes (Public / Internal / Confidential / Restricted) mapped against tool tiers (consumer / enterprise / prohibited) with conditions for each. The load-bearing piece of the policy.

Approved Tool List — Enterprise (M365 Copilot, Claude for Enterprise, GitHub Copilot Business, ChatGPT Enterprise), Consumer (free ChatGPT, Claude.ai, Gemini consumer), and Prohibited (open-source local LLMs, AI browser extensions, DeepSeek) with vendor DD status fields and an explicit "verify against your contract" warning

● Case file

The 2023–2026 GenAI incident pattern is now examiner-visible

Generative AI moved from "experimental" to "examined" between 2023 and 2026. The pattern of incidents and regulatory actions defines the scope of what an AUP must address.

2023

Samsung — ChatGPT source code leak

Engineers at Samsung pasted proprietary source code and internal meeting notes into ChatGPT in three separate incidents. Under the consumer service's terms at the time, those inputs could be retained by the vendor and used to train the model, so the data was outside Samsung's control the moment it was submitted.

Why it matters: A structured AUP that draws clear lines between permitted and prohibited use (Data Classification × Tool Tier matrix, Prohibited Uses) is the alternative to a blanket ban.

2024

NIST AI 600-1 Generative AI Profile (July 2024)

NIST identified 12 risk categories that are unique to or exacerbated by generative AI, including data privacy, harmful bias and homogenization, information security, and "confabulation" (NIST's term for what is commonly called hallucination). These are not squarely addressed by traditional model risk frameworks.

Why it matters: A dedicated GenAI AUP, distinct from your MRM policy, is the structural answer to the GenAI-specific risks NIST AI 600-1 identifies.

2024

FTC Operation AI Comply (September 2024)

The FTC announced five enforcement actions against companies that made deceptive claims about AI or used AI deceptively in consumer-facing products and services.

Why it matters: Output Handling Rules (Tab 8), especially the meaningful-human-review requirement for adverse-action communications, directly address this exposure.

Every layer of this kit is built to be defensible to an examiner reviewing your GenAI program — from data-class-to-tool-tier mapping, to vendor DD, to incident response, to employee training and attestation.

◆ Why now

Why now: the gap between MRM policy and employee-facing GenAI use

Your MRM policy governs production AI/ML systems. Your employees are using ChatGPT, Claude, Copilot, and Gemini today — for drafting, summarization, code, marketing copy, customer responses. The gap between those two layers is what examiners and bank partners now ask about. This kit closes the gap.

◆ Regulatory alignment

Built to the 2026 GenAI regulatory environment

This kit was built to operationalize the documented compliance expectations applicable to employee-facing generative AI use in 2026.

  • NIST AI Risk Management Framework 1.1 + NIST AI 600-1 (Generative AI Profile, July 2024)
  • 2026 interagency revised model risk management guidance (superseding SR 11-7) — for production models, complementary to this AUP
  • Colorado AI Act (revised effective date June 30, 2026 — verify current status)
  • FTC Operation AI Comply (September 2024) — deceptive AI use enforcement
  • ECOA / FCRA — meaningful human review of consequential decisions
  • State biometric privacy laws (Illinois BIPA, Texas CUBI, Washington)
  • FFIEC IT Examination Handbook — vendor management, information security
  • EU AI Act (for institutions with EU exposure — structurally compatible framework)

Last updated: May 24, 2026

◆ 30-day money-back guarantee

Try it. If it doesn't fit, we refund.

If this template doesn't meet your expectations, email us within 30 days for a full refund. No questions asked.

◆ Template guide

Generative AI Acceptable Use Policy Template Guide

How to build a Generative AI Acceptable Use Policy for employees: data classification × tool tier matrix, approved tool list, pre-approved use cases, low-touch employee intake form, vendor due diligence, detection, and AI incident response.

Read guide →

◆ Usage, access, and purchase details

The fine print, in plain English.

Can my team customize it?

Yes. The template is intended to be edited for your internal business use and adapted to your controls, owners, products, vendors, and evidence.

Can I share outputs externally?

Yes. You can use completed outputs with auditors, customers, bank partners, regulators, and internal stakeholders. Do not resell or redistribute the source template files.

How do I receive it?

Checkout is handled through Stripe. After purchase, you receive the template and guide download link immediately on the confirmation page and by email, along with your Stripe receipt. No account is required.

What if it's not a fit?

Email within 30 days for a refund. The guarantee is meant to remove purchase risk while you evaluate whether the template fits your use case.

◆ FAQ

Frequently asked questions.

How is this different from our existing AI policy or MRM framework?

Your existing AI policy was probably built for production model risk (SR 11-7 / OCC 2026 model risk guidance / NIST AI RMF). That framework governs production AI/ML systems that make business decisions — credit models, fraud detection, AML monitoring. This kit governs the employee-facing layer above that: ChatGPT, Claude, Copilot, Gemini, and AI features embedded in third-party SaaS. Production AI/ML systems still go through your MRM program; this kit covers the part of AI use that sits in front of employees.

Will employees actually use the intake form, or will they just go around it?

The structural answer is the Pre-Approved Use Cases list (Tab 5). For the 15 common patterns on the list, employees do not need an intake — they self-serve. The intake is only for new tools, new use cases for approved tools, or new data classes within an approved use case. That keeps the friction low. The other structural answer is detection: DLP and browser allow-list backstop the policy, and the AI Incident Response runbook treats shadow AI as an intake event rather than a discipline event — the goal is to surface the underlying use case and add it to the Pre-Approved list, not punish individuals.

What's in the Worked Example?

Northstar Lending — a fictitious mid-size consumer lender (~600 employees). The example walks through: program setup (Data Classification Matrix, Approved Tool List customization, Pre-Approved Use Cases tailored, Vendor DD Register populated), an auto-approved intake request (marketing analyst summarizing public earnings calls), an escalated intake request (customer support using customer data in Claude for Enterprise — Conditional Approval with specific conditions), two incidents (a shadow AI browser extension discovered via DLP, and a Critical MNPI exposure when a finance team member pasted pre-earnings draft language into consumer ChatGPT), and the annual attestation results.

How does the Data Classification × Tool Tier Matrix work?

Four data classes (Public, Internal, Confidential, Restricted) mapped against three tool tiers (Consumer / Enterprise / Prohibited). Public can go in any tier. Internal and Confidential are Enterprise-only (with no-training opt-out and DPA in place). Restricted (MNPI, PHI, credentials, attorney-client privileged) is generally prohibited in any AI tool. The matrix is the load-bearing piece of the policy — what you input determines what tier of tool you can use.
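The matrix above and the intake form's cascading auto-routing (Approved / Conditional / Route to Vendor DD / Escalate / Declined, driven by Pre-Approved use case match, Approved tool status, data class fit, and Prohibited use detection) can be expressed as policy-as-code, which is useful for testing the logic and for wiring it into a ticketing system. The block below is an added illustration written for this page; it is not the kit's Excel formula. The rule precedence, the conditions attached to each outcome, the tool entries and their DD flags, and the pre-approved use cases are all constructed assumptions and should be replaced with your own tenant and contract status.

```python
"""Policy-as-code rendering of the Data Classification x Tool Tier Matrix and
the intake auto-routing cascade. Added illustration, not the kit's workbook
formula; rule precedence and per-outcome conditions are assumptions."""
from dataclasses import dataclass
from enum import Enum


class DataClass(str, Enum):
    PUBLIC = "Public"
    INTERNAL = "Internal"
    CONFIDENTIAL = "Confidential"
    RESTRICTED = "Restricted"


class ToolTier(str, Enum):
    CONSUMER = "Consumer"
    ENTERPRISE = "Enterprise"
    PROHIBITED = "Prohibited"


# Sensitivity order (definition order of DataClass), used to compare a request
# against a pre-approved use case's data-class ceiling.
RANK = {c: i for i, c in enumerate(DataClass)}

# The matrix as stated in the FAQ: the tool tiers each data class may be used with.
MATRIX = {
    DataClass.PUBLIC: {ToolTier.CONSUMER, ToolTier.ENTERPRISE},
    DataClass.INTERNAL: {ToolTier.ENTERPRISE},
    DataClass.CONFIDENTIAL: {ToolTier.ENTERPRISE},
    DataClass.RESTRICTED: set(),  # prohibited in any AI tool
}


@dataclass(frozen=True)
class Tool:
    tier: ToolTier
    dpa: bool = False               # data processing agreement in place
    training_opt_out: bool = False  # vendor does not train on tenant data


# Constructed starter list; DD flags are illustrative, not real contract status.
TOOLS = {
    "Microsoft 365 Copilot": Tool(ToolTier.ENTERPRISE, dpa=True, training_opt_out=True),
    "Claude for Enterprise": Tool(ToolTier.ENTERPRISE, dpa=True, training_opt_out=True),
    "ChatGPT Enterprise": Tool(ToolTier.ENTERPRISE, dpa=True, training_opt_out=True),
    "GitHub Copilot Business": Tool(ToolTier.ENTERPRISE, dpa=False, training_opt_out=True),
    "ChatGPT (free)": Tool(ToolTier.CONSUMER),
    "Claude.ai (consumer)": Tool(ToolTier.CONSUMER),
    "Ollama": Tool(ToolTier.PROHIBITED),
    "DeepSeek": Tool(ToolTier.PROHIBITED),
}

# Constructed Pre-Approved Use Cases: use case -> highest data class it is approved for.
PRE_APPROVED = {
    "summarize_public_filings": DataClass.PUBLIC,
    "draft_marketing_copy": DataClass.INTERNAL,
    "explain_code_snippet": DataClass.INTERNAL,
}

# Use cases that become a Prohibited Use when no meaningful human review is in the loop.
HUMAN_REVIEW_REQUIRED = {"adverse_action_decision"}


@dataclass(frozen=True)
class Request:
    use_case: str
    tool: str
    data_class: DataClass
    human_review: bool = True


def route(req: Request) -> tuple[str, str]:
    """Cascade to one of the five outcomes; the first matching rule wins."""
    if req.use_case in HUMAN_REVIEW_REQUIRED and not req.human_review:
        return "Declined", "prohibited use: AI-only consequential decision"
    if req.data_class is DataClass.RESTRICTED:
        return "Declined", "Restricted data is not permitted in any AI tool"
    tool = TOOLS.get(req.tool)
    if tool is None:
        return "Route to Vendor DD", f"{req.tool!r} is not on the Approved Tool List"
    if tool.tier is ToolTier.PROHIBITED:
        return "Declined", f"{req.tool} is a Prohibited-tier tool"
    if tool.tier not in MATRIX[req.data_class]:
        return "Escalate", f"{req.data_class.value} data is outside the {tool.tier.value} tier"
    # Enterprise tier only counts for non-Public data once DD evidence is in place.
    if req.data_class is not DataClass.PUBLIC and not (tool.dpa and tool.training_opt_out):
        return "Route to Vendor DD", f"{req.tool} lacks DPA or training opt-out evidence"
    ceiling = PRE_APPROVED.get(req.use_case)
    if ceiling is not None and RANK[req.data_class] <= RANK[ceiling]:
        return "Approved", "matches a Pre-Approved Use Case; no intake needed"
    return "Conditional", "new use case on an approved tool; AI Governance Lead sets conditions"


if __name__ == "__main__":
    # Constructed requests mirroring the cases in the worked example.
    batch = [
        Request("summarize_public_filings", "ChatGPT Enterprise", DataClass.PUBLIC),
        Request("draft_customer_response", "Claude for Enterprise", DataClass.CONFIDENTIAL),
        Request("draft_earnings_language", "ChatGPT (free)", DataClass.RESTRICTED),
        Request("summarize_meeting", "AI Summarizer browser extension", DataClass.INTERNAL),
        Request("adverse_action_decision", "ChatGPT Enterprise", DataClass.CONFIDENTIAL, human_review=False),
    ]
    for r in batch:
        outcome, why = route(r)
        print(f"{outcome:<20} {r.use_case:<28} {why}")
```

The order of the checks is the design decision that matters: Prohibited Use detection and the Restricted data class come first so that no tool status or pre-approval can override them, an unknown tool routes to vendor due diligence rather than being silently declined (the intake is meant to surface shadow AI, not bury it), and a matrix mismatch on non-Restricted data escalates so the committee can grant a documented exception. Anything that clears those gates but is not already pre-approved lands as Conditional, which matches the worked example's customer-support request.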

What's on the Approved Tool List?

Starter entries for Microsoft 365 Copilot, Claude for Enterprise, GitHub Copilot Business, and ChatGPT Enterprise (Enterprise tier, approved for all non-Restricted data classes); ChatGPT free, Claude.ai consumer, Google Gemini consumer (Consumer tier, restricted to personal use with Public data only); and explicit Prohibited entries for open-source local LLMs (Ollama, LM Studio), unapproved AI browser extensions, and DeepSeek / sovereign-access AI services. You customize the list to your actual tenant.

Does this cover the Colorado AI Act and similar state laws?

The kit reflects emerging 2026 state AI law expectations including the Colorado AI Act (revised effective date June 30, 2026 — verify current status with counsel), which regulates high-risk AI systems making consequential decisions. The Prohibited Uses include AI-only adverse-action decisions about customers without meaningful human review — an approach informed by ECOA, FCRA, and the Colorado AI Act's direction toward meaningful human oversight of consequential automated decisions; the specific obligations of each regime should be confirmed with counsel for your products and jurisdictions. For EU AI Act exposure, additional review with EU counsel is recommended; the framework is structurally compatible but the kit does not include EU-specific compliance attestations.

How long does it take to roll out?

30–60 minutes for setup: align Data Classification Matrix to your existing Information Classification Policy, populate Approved Tool List with your tenants, customize Pre-Approved Use Cases, populate Vendor DD Register. Then 30 days for employee training and annual attestation, coordinated with HR. The Manager Talking Points appendix gives leaders the script for team rollout.

◆ Not ready to buy?

Start with the free Risk Register.

141 pre-populated fintech risks across 21 categories. ISO 31000 structure.

Download free Risk Register →

◆ Related templates

Pairs well with.

Template
$59

AI Risk Assessment Template & Guide

Comprehensive AI model governance and risk assessment templates for financial services teams.

Template
$69

Data Privacy Compliance Kit

Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.

Template
$69

Incident Response & Breach Notification Kit

Step-by-step incident response playbooks and breach notification templates for all 50 states.

◆ Ready when you are

Get the GenAI Employee AUP Kit.

Start building a defensible risk program today.

Buy — $79 →
